
Auvik can log into my FortiGate firewall, but won't back up its configuration


Cause

Auvik logs into the FortiGate over HTTPS/SSH to request the backup, but the backup itself is pushed by the FortiGate to the Auvik Collector over FTP (TCP port 21). If Auvik can log in but no backup arrives, it is typically because that second path does not exist: the FortiGate cannot reach the collector on FTP, even though management access from the collector to the FortiGate is working.

This is common in site-to-site (S2S) VPN deployments, where the FortiGate is at a remote site and the Auvik Collector is located at a main office.


Resolution

To allow Auvik to successfully back up the FortiGate configuration across an S2S VPN, you must:

  1. Assign a management IP to the VPN interface
  2. Create proper address objects
  3. Update Phase 2 selectors
  4. Allow traffic in firewall policies
  5. Validate connectivity using a manual backup test

Step 1: Assign VPN Interface IPs (Management Network)

On both FortiGates:

  • Navigate to: Network → Interfaces
  • Locate the IPsec VPN interface used for the S2S tunnel
  • Assign /32 IPs from an unused subnet:
Location        IP Address      Subnet Mask
Main Office     192.168.100.1   255.255.255.255
Remote Office   192.168.100.2   255.255.255.255

⚠️ Use a subnet that does not overlap with any existing client networks.


Step 2: Create Address Objects

On both FortiGates:

Create the following object. It refers to the remote site's tunnel IP on both firewalls, because that is the address the remote FortiGate sources the backup from:

Name: Remote S2S VPN Interface - Management
IP: 192.168.100.2/32 (the remote office tunnel IP from Step 1)


Ensure Auvik Collector Object Exists

  • Go to Policy & Objects → Addresses
  • Confirm there is an address object for the Auvik Collector IP
  • If not:
    • Create one using the collector IP found in Auvik

To find the Collector IP:

  1. Open Auvik
  2. Select the client
  3. Click Auvik Collectors (bottom-left)
  4. Note the Collector IP

Step 3: Configure Phase 2 Selectors

Navigate to: VPN → IPsec Tunnels → Edit Tunnel → Phase 2 Selectors


On the Remote FortiGate:

Create a new selector:

  • Name: S2S VPN Management
  • Local Address: Remote S2S VPN Interface - Management
  • Remote Address: Auvik Collector

On the Main Office FortiGate:

Create a corresponding selector:

  • Name: S2S VPN Management
  • Local Address: Auvik Collector
  • Remote Address: Remote S2S VPN Interface - Management

Step 4: Update Firewall Policy (Main Office FortiGate)

Navigate to:
Policy & Objects → Firewall Policy

  • Locate the policy handling traffic between:
    • Remote site subnet → Main office subnet
  • Edit the policy:
    • Add Remote S2S VPN Interface - Management as an additional Source Address
    • If the policy restricts Service, make sure it includes FTP (TCP port 21)

No policy change is needed on the remote FortiGate for this traffic: the backup is originated by the FortiGate itself, and FortiOS does not apply firewall policies to its own outbound (local-out) sessions.
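The CLI equivalent of Steps 1 to 4, as an added example that is not part of this article or of Auvik's own documentation. The tunnel interface name S2S-VPN, the main-office LAN interface port2, the address objects Remote-Site-LAN and Main-Office-LAN, and the policy ID 10 are assumptions; replace them with the names on your firewalls. The collector IP 10.0.0.101 is the one used in the example backup command later in this article.

```fortios
# Added example, not from the Auvik article. Assumed names: S2S-VPN,
# port2, Remote-Site-LAN, Main-Office-LAN, policy ID 10.

### Remote FortiGate ###

config system interface
    edit "S2S-VPN"                                   # existing IPsec tunnel interface
        set ip 192.168.100.2 255.255.255.255         # Step 1: local /32 management IP
        set remote-ip 192.168.100.1 255.255.255.255  # peer's /32 (GUI: Remote IP/Netmask)
    next
end

config firewall address                              # Step 2
    edit "Remote S2S VPN Interface - Management"
        set subnet 192.168.100.2 255.255.255.255
    next
    edit "Auvik Collector"
        set subnet 10.0.0.101 255.255.255.255
    next
end

config vpn ipsec phase2-interface                    # Step 3
    edit "S2S VPN Management"
        set phase1name "S2S-VPN"
        set src-addr-type name
        set src-name "Remote S2S VPN Interface - Management"
        set dst-addr-type name
        set dst-name "Auvik Collector"
    next
end

# Only needed if the collector is not already covered by a route over
# the tunnel (it usually is when the main-office LAN is routed via S2S-VPN).
config router static
    edit 0
        set dst 10.0.0.101 255.255.255.255
        set device "S2S-VPN"
    next
end
# No firewall policy on this side: the backup is local-out traffic.

### Main Office FortiGate ###

config system interface
    edit "S2S-VPN"
        set ip 192.168.100.1 255.255.255.255
        set remote-ip 192.168.100.2 255.255.255.255
    next
end

config firewall address
    edit "Remote S2S VPN Interface - Management"
        set subnet 192.168.100.2 255.255.255.255
    next
    edit "Auvik Collector"
        set subnet 10.0.0.101 255.255.255.255
    next
end

config vpn ipsec phase2-interface                    # mirror image of the remote selector
    edit "S2S VPN Management"
        set phase1name "S2S-VPN"
        set src-addr-type name
        set src-name "Auvik Collector"
        set dst-addr-type name
        set dst-name "Remote S2S VPN Interface - Management"
    next
end

config firewall policy                               # Step 4: extend the existing policy
    edit 10                                          # assumed ID of remote LAN -> main LAN policy
        set srcintf "S2S-VPN"
        set dstintf "port2"                          # LAN interface the collector sits on
        set srcaddr "Remote-Site-LAN" "Remote S2S VPN Interface - Management"
        set dstaddr "Main-Office-LAN"                # must contain 10.0.0.101
        set service "ALL"                            # keep as-is; if narrower, include "FTP"
        set action accept
        set schedule "always"
    next
end
```

The two Phase 2 selectors must be exact mirror images (local on one side is remote on the other), otherwise the selector will not negotiate and the backup traffic is dropped before it reaches the tunnel. Older FortiOS releases take `set remote-ip` without a netmask; check the syntax for your version.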

Step 5: Verify Tunnel Status

  • Go to VPN → IPsec Tunnels
  • Confirm the tunnel and Phase 2 selectors are UP

Check status:

  • FortiGate: Hover over tunnel status
  • SonicWall (if applicable): Check VPN status page

Step 6: Test Backup via CLI

On the Remote FortiGate:

  1. Open CLI Console
  2. Run:
execute backup config ftp <deviceID>\backup.exp <collectorIP>:21 <clientname> auvik

Example:

execute backup config ftp 855335547386700488\backup.exp 10.0.0.101:21 contoso auvik

Parameter Breakdown:

Parameter     Description
deviceID      Found in Auvik device URL
collectorIP   Auvik Collector IP
21            FTP port
clientname    Auvik subdomain (e.g., contoso)
auvik         Literal string "auvik"

The FortiGate syntax is execute backup config ftp <filename> <server>[:port] [<username> <password>], so the FortiGate sends <clientname> as the FTP username and auvik as the FTP password. Both values are required as shown.

How to find Device ID:

  1. Open the device in Auvik
  2. Look at the URL:
https://contoso.us4.my.auvik.com/#/entity/device/850260206776459598/dashboard

850260206776459598 is the Device ID
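The checks below narrow down where the backup is failing when the manual command returns an error or Auvik shows no new configuration. This is an added example, not part of this article or of Auvik's documentation; the tunnel name S2S-VPN is an assumption and the addresses are the example values used in this article.

```fortios
# Added example, not from the Auvik article. Assumed tunnel name: S2S-VPN.

### Remote FortiGate: does the management path exist? ###

diagnose vpn tunnel list name S2S-VPN
# Look for a selector with src 192.168.100.2/32 and dst 10.0.0.101/32 and
# SAs installed. If it is missing, the Step 3 selector did not negotiate;
# the peer must carry the mirror-image selector.

get router info routing-table details 10.0.0.101
# The route must point at S2S-VPN. If it resolves to the WAN interface,
# the FTP session leaves the site unencrypted and never reaches the collector.

execute ping-options source 192.168.100.2
execute ping 10.0.0.101
execute ping-options reset
# Forces the source IP the backup will use. A reply proves the selector and
# the main-office policy accept the /32 (assuming that policy allows ICMP).

diagnose sniffer packet any 'host 10.0.0.101 and tcp port 21' 4 10
# Run in a second CLI session while issuing the backup. Expect
# 192.168.100.2 -> 10.0.0.101 SYNs on S2S-VPN and SYN/ACKs back.
# SYNs with no SYN/ACK point at the main-office policy or at the
# collector's FTP service, not at this FortiGate.

execute backup config ftp 855335547386700488\backup.exp 10.0.0.101:21 contoso auvik

### Main Office FortiGate: which policy did the session hit? ###

diagnose debug flow filter saddr 192.168.100.2
diagnose debug flow filter daddr 10.0.0.101
diagnose debug flow filter port 21
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# Re-run the backup on the remote side, then read the trace:
#   "Allowed by Policy-<id>"           Step 4 is correct
#   "Denied by forward policy check"   the /32 is not a source in the policy
#   "reverse path check fail"          no route back to 192.168.100.2 via the tunnel
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

Run the remote-side checks first: if the routing-table lookup or the tunnel list is wrong, the main-office firewall never sees the session and its debug flow stays empty.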


Step 7: Confirm Backup in Auvik

  • Go to the device in Auvik
  • Navigate to: Documentation → Configurations
  • Confirm a new backup appears

Summary

For S2S VPN environments, configuration backups fail when:

  • The VPN does not include a route for the collector
  • No Phase 2 selector exists for management traffic
  • Firewall policies do not allow the traffic

The solution is to:

  • Use a dedicated /32 management network over the VPN
  • Explicitly allow it via:
    • Address objects
    • Phase 2 selectors
    • Firewall policies


Note: If only one subnet traverses the VPN and the firewall's LAN interface belongs to it, the firewall may return an error when you try to assign the tunnel interface an IP from that same subnet. In that case, assign the tunnel interface an address from a different subnet; a /32 allocated solely for this purpose is sufficient. Make sure you adjust your routing, Phase 2 selectors and firewall policies to allow traffic to and from that new address.

If that doesn’t resolve your issue, or if your FortiGate doesn’t need to traverse a VPN to reach the collector, contact Auvik Support.
